20 Healthcare Cyber Security Statistics
- August 3, 2022
The nature of the healthcare industry makes it a perfect target for cyber attacks: targeting an organization or an individual’s cyberspace to destroy or maliciously control their cyber environment. Healthcare can’t afford downtimes. It can’t afford delays in operations. Lives are at stake. We know this. You know this. And cybercriminals know this as well.
One needn’t look past the Conti incident in Ireland. Conti hacking group attacked the country’s health system proving why healthcare data breaches are so costly. In the initial attack, the hackers demanded $20 million for ransomware: they threatened to release protected patient information should the country refuse to pay the group’s demands. The attack’s aftermath was even more disastrous, totaling $100 million in damages due to workflow interruptions. Therefore, healthcare presents a lucrative opportunity for those with malicious intent. Let’s take a closer look at some statistics on why that might be.
1. For twelve consecutive years, data breaches in healthcare remain the costliest industry breach, averaging around $10 million per successful attack.
This information makes attacks on healthcare costlier than those in finance (close to $6 million) or pharmaceuticals ($5.1 million). The pharmaceutical industry shows successful defense against cyber attacks, as the cost of data breaches lowered from 2021 ($5.4 million).
2. The healthcare sector has seen a 69% increase in cyber attacks from 2020 to 2022.
Healthcare cyber attacks have the largest increase in volume compared to other industries.
3. The cost of cyber attacks on healthcare continues to increase, with a 9.4% increase from 2021 to 2022.
Even though we don’t see a decline in attacks, it is worth mentioning that, at the very least, the increase is now lesser than it was in the previous year. For comparison, in 2020, the average cost of a cyber attack in healthcare was $7.13 million, compared to $9.2 million in 2021, showing a 29.5% increase from 2020 to 2021.
4. The cost of a single stolen record in a data breach in healthcare is $429.
In 2019, healthcare had the highest cost of stolen records, sitting at more than $400 per record. This means stolen healthcare records were twice as costly as financial records ($210) and technology ($183).
5. From 2018 to 2021, the number of data breaches in healthcare increased by almost 100%.
In the first half of 2018, the number of breaches in the industry was 185. In the first half of 2021, that number rose to 327.
6. The Secretary of the U.S. Department of Health and Human Services listed 592 breaches in 2020.
The Hitech Act requires the Secretary to post a list of breaches affecting 500 people or more. The top three breaches (undisclosed) happened in Michigan, Ohio, and Florida, with 3,320,726, 1,474,000, and 1,290,670 affected individuals, respectively.
7. 70% of healthcare data breaches reported in the first half of 2021 were classified as “hacking.”
The Department of Health and Human Services classifies IT incidents into the following categories: theft, improper disposal, loss, unauthorized access/disclosure, and hacking/IT incident. Hacking is defined as any unauthorized access due to criminal activity, suggesting criminals prefer to target the healthcare sector.
8. In 2021, there were 521 hacking incidents.
Due to the rising hacking events, more than 43 million people had their records breached. Healthcare data breaches occur in several ways: through endpoint (laptop or computer), EMRs, or emails and network servers.
9. 79% of critical infrastructure industries don’t adopt a zero-trust security approach.
Zero-trust policy is a security approach that requires validation at every stage of digital interaction. Based on classification by the US Cybersecurity and Infrastructure Security Agency (CISA), critical infrastructure industries include healthcare, technology, finance, and education, among others, suggesting that almost 80% of these organizations lack proper security. This includes healthcare and cybersecurity.
10. Ransomware and destructive attacks comprise 28% of critical infrastructure attacks.
Unlike ransomware, where attackers keep the data hostage, destructive attacks have the overall purpose of damaging or destroying the data altogether. Within critical infrastructure industries, 12% of attacks were ransomware, whereas 16% were destructive attacks.
11. The number of hacking increased by almost 300% from 2018 to 2021.
Furthermore, cyber attacks on healthcare appear to be increasing, suggesting that organizations must allocate more funds and efforts to combat cybercriminals.
12. Healthcare business partners accounted for 43% of breaches in 2021.
Attackers look for the easiest targets. Smaller medical practices, mental health clinics, or business associates such as claims processors present an easy target for cybercriminals. A healthcare data breach can thus occur not only through health organizations but also those connected to the industry.
In the first six months of 2021, there were 141 breaches, compared to 66 in 2019.
13. The total number of people affected by healthcare cyber attacks was 45 million in 2021, up from 34 million in 2020.
This statistic is understandable: we have already concluded that ransomware pays well, especially within the healthcare industry. While personally identifiable information can be costly in other sectors, the healthcare industry also handles protected health information which carries many potential problems should it be revealed.
14. In 2021, healthcare data breaches resulted in 94% of healthcare members reporting that attacks on their systems impacted their ability to operate.
Additionally, 90% of private organizations reported a loss of revenue. An example can be made of Tenet Healthcare which, in July 2022, reported a loss of $100 million following an April cyberattack.
15. US healthcare spending will increase from nearly $8 trillion in 2013 to more than $18 trillion by 2040.
This increase in spending comes from increased attacks with rising costs per breach. Therefore, organizations and sectors are turning towards cybersecurity and increased budgets to protect against online threats.
16. The healthcare cybersecurity market will increase 15% yearly until reaching $125 billion by 2025.
Rising costs of attacks result in increasing costs of protection. Different sectors are now relying on artificial intelligence to be a layer of defense against IoT threats.
17. The healthcare industry allocates 4% to 7% of its budget to cybersecurity, compared to 15% of other sectors.
Given the low amount of investment in cybersecurity, it is understandable that healthcare presents a lucrative opportunity for cybercriminals for many reasons.
18. Using artificial intelligence in defense against cyberattacks resulted in more than 50% cost reduction.
AI in cybersecurity healthcare drastically reduced the cost of breaches, given the machine learning algorithm’s ability to recognize and thwart potential attacks.
19. 24% of U.S. health employees never received any training related to cybersecurity.
While almost a quarter of health employees received zero cybersecurity training, 40% of employees are unaware of healthcare cybersecurity measures at their workplace. This is a staggering statistic: cybersecurity training usually costs between $3,000 and $8,000. We already mentioned how costly breaches could be, especially in healthcare. Further, paying the ransom is merely 15% of the total costs arising from a security breach.
20. The most significant hacking incident affected almost 80 million people.
In 2015, data breaches in healthcare culminated with the attack on the health insurer Anthem, resulting in 78.8 million people having their PHI stolen.
